From 3dcc386b6f19682f124dbba62bbd0d47b750a49b Mon Sep 17 00:00:00 2001
From: ed
Date: Sun, 16 Jul 2023 22:00:04 +0000
Subject: [PATCH] v1.8.3

---
 README.md | 4 ++
 contrib/nixos/modules/copyparty.nix | 2 +-
 copyparty/__version__.py | 4 +-
 docs/changelog.md | 66 +++++++++++++++++++++++++++++
 scripts/docker/README.md | 5 ---
 scripts/test/smoketest.py | 28 ++++++++----
 6 files changed, 92 insertions(+), 17 deletions(-)

diff --git a/README.md b/README.md
index ee988013..a5ba600d 100644
--- a/README.md
+++ b/README.md
@@ -491,6 +491,9 @@ images with the following names (see `--th-covers`) become the thumbnail of the
 in the grid/thumbnail view, if the audio player panel is open, songs will start playing when clicked
 * indicated by the audio files having the ▶ icon instead of 💾
+enabling `multiselect` lets you click files to select them, and then shift-click another file for range-select
+* `multiselect` is mostly intended for phones/tablets, but the `sel` option in the `[⚙️] settings` tab is better suited for desktop use, allowing selection by CTRL-clicking and range-selection with SHIFT-click, all without affecting regular clicking
+
 ## zip downloads
@@ -613,6 +616,7 @@ file selection: click somewhere on the line (not the link itsef), then:
 * `up/down` to move
 * `shift-up/down` to move-and-select
 * `ctrl-shift-up/down` to also scroll
+* shift-click another line for range-select
 * cut: select some files and `ctrl-x`
 * paste: `ctrl-v` in another folder
diff --git a/contrib/nixos/modules/copyparty.nix b/contrib/nixos/modules/copyparty.nix
index 1e64ecdf..1a305942 100644
--- a/contrib/nixos/modules/copyparty.nix
+++ b/contrib/nixos/modules/copyparty.nix
@@ -138,7 +138,7 @@ in {
 "d" (delete): permanently delete files and folders
 "g" (get): download files, but cannot see folder contents
 "G" (upget): "get", but can see filekeys of their own uploads
- "a" (upget): can see uploader IPs
+ "a" (upget): can see uploader IPs, config-reload
 For example: "rwmd"
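Review bot: In the copyparty.nix hunk the new `"a"` line still carries the `(upget)` label that was copied from the `"G" (upget)` line directly above it, so the permission table now describes two different letters under one name, and the commit only appends `config-reload` without correcting that. The changelog hunk later in this patch introduces `a` as the permission that exposes uploader-IP and upload-time, and this line now also grants config-reload, which reads as an administrative action rather than a visibility flag, so the label should name the permission itself instead of reusing `upget`, e.g. `"a" (<permission name>): can see uploader IPs, config-reload`, or simply drop the parenthetical. It would also help operators if the description said that `a` is presumably the most privileged letter in the set, so it is not handed out like the read-only `g`/`G` grants. The option description string this line belongs to starts outside the hunk.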
diff --git a/copyparty/__version__.py b/copyparty/__version__.py
index a0547ec0..42363439 100644
--- a/copyparty/__version__.py
+++ b/copyparty/__version__.py
@@ -1,8 +1,8 @@
 # coding: utf-8
-VERSION = (1, 8, 2)
+VERSION = (1, 8, 3)
 CODENAME = "argon"
-BUILD_DT = (2023, 7, 14)
+BUILD_DT = (2023, 7, 16)
 S_VERSION = ".".join(map(str, VERSION))
 S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT)
diff --git a/docs/changelog.md b/docs/changelog.md
index 1b24c00d..503f8272 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,3 +1,69 @@
+▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
+# 2023-0714-1558 `v1.8.2` URGENT: fix path traversal vulnerability
+
+* read-only demo server at https://a.ocv.me/pub/demo/
+* [docker image](https://github.com/9001/copyparty/tree/hovudstraum/scripts/docker) ╱ [similar software](https://github.com/9001/copyparty/blob/hovudstraum/docs/versus.md) ╱ [client testbed](https://cd.ocv.me/b/)
+
+Starting with the bad and important news; this release fixes https://github.com/9001/copyparty/security/advisories/GHSA-pxfv-7rr3-2qjg / [CVE-2023-37474](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37474) -- so please upgrade!
+
+Every version until now had a [path traversal vulnerability](https://owasp.org/www-community/attacks/Path_Traversal) which allowed read-access to any file on the server's filesystem. To summarize,
+* Every file that the copyparty process had the OS-level permissions to read, could be retrieved over HTTP without password authentication
+* However, an attacker would need to know the full (or copyparty-module-relative) path to the file; it was luckily impossible to list directory contents to discover files on the server
+* You may have been running copyparty with some mitigations against this:
+ * [prisonparty](https://github.com/9001/copyparty/tree/hovudstraum/bin#prisonpartysh) limited the scope of access to files which were intentionally given to copyparty for sharing; meaning all volumes, as well as the following read-only filesystem locations: `/bin`, `/lib`, `/lib32`, `/lib64`, `/sbin`, `/usr`, `/etc/alternatives`
+ * the [nix package](https://github.com/9001/copyparty#nix-package) has a similar mitigation implemented using systemd concepts
+ * [docker containers](https://github.com/9001/copyparty/tree/hovudstraum/scripts/docker) would only expose the files which were intentionally mounted into the container, so even better
+* More conventional setups, such as just running the sfx (python or exe editions), would 
unfortunately expose all files readable by the current user
+* The following configurations would have made the impact much worse:
+ * running copyparty as root
+
+So, three years, and finally a CVE -- which has been there since day one... Not great huh. There is a list of all the copyparty alternatives that I know of in the `similar software` link above.
+
+Thanks for flying copyparty! And especially if you decide to continue doing so :-)
+
+## new features
+* #43 volflags to specify thumbnailer behavior per-volume;
+ * `--th-no-crop` / volflag `nocrop` to specify whether autocrop should be disabled
+ * `--th-size` / volflag `thsize` to set a custom thumbnail resolution
+ * `--th-convt` / volflag `convt` to specify conversion timeout
+* #45 resulted in a handful of opportunities to tighten security in intentionally-dangerous setups (public folders with anonymous uploads enabled):
+ * a new permission, `a` (in addition to the existing `rwmdgG`), to show the uploader-IP and upload-time for each file in the file listing
+ * accidentally incompatible with the `d2t` volflag (will be fixed in the next ver)
+ * volflag `nohtml` is a good defense against (un)intentional XSS; it returns HTML-files and markdown-files as plaintext instead of rendering them, meaning any malicious `